Information
Advisory: XSA-272
Public release: 2018-08-14 17:00
Updated: 2018-08-20 09:46
Version: 3
CVE(s): CVE-2018-15470
Title: oxenstored does not apply quota-maxentity
Files
advisory-272.txt (signed advisory file)
xsa272.meta
xsa272.patch
Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Xen Security Advisory CVE-2018-15470 / XSA-272
version 3
oxenstored does not apply quota-maxentity
UPDATES IN VERSION 3
====================
CVE assigned.
ISSUE DESCRIPTION
=================
The logic in oxenstored for handling writes depended on the order of
evaluation of expressions making up a tuple.
As indicated in section 7.7.3 "Operations on data structures" of the
OCaml manual:
http://caml.inria.fr/pub/docs/manual-ocaml/expr.html
the order of evaluation of subexpressions is not specified. In
practice, different implementations behave differently.
IMPACT
======
oxenstored may not enforce the configured quota-maxentity.
This allows a malicious or buggy guest to write as many xenstore entries
as it wishes, causing unbounded memory usage in oxenstored. This can
lead to a system-wide DoS.
VULNERABLE SYSTEMS
==================
Xen 4.1 and later are potentially vulnerable.
Only systems using the OCaml xenstored implementation are potentially
vulnerable. Systems using the C xenstored implementation are not
vulnerable.
Whether the compiled oxenstored binary is vulnerable depends on which
compiler was used. OCaml can be compiled either as bytecode (with
ocamlc) or as a native binary (with ocamlopt).
The following OCaml program demonstrates the issue, and identifies
whether the resulting oxenstored binary will skip the quota enforcement.
$ cat order.ml
(* [check] builds a tuple whose first component runs [update] for its side
   effect on [flag] and whose second component reads [flag]; the language
   does not specify which component is evaluated first. *)
let check () =
  let flag = ref false in
  let update _ = flag := true; () in
  List.iter update [1;2;3], !flag

(* [flag] is true only if the first component was evaluated before the
   second, i.e. only if this compiler happened to pick that order. *)
let main () =
  let _, flag = check () in
  if flag then
    print_endline "This code is not vulnerable!"
  else
    print_endline "This code is vulnerable!"

let () = main ()
$ ocamlc order.ml -o order.bytecode
$ ./order.bytecode
This code is vulnerable!
$ ocamlopt order.ml -o order.native
$ ./order.native
This code is not vulnerable!
To confirm whether an OCaml binary is bytecode or native, use file.
$ file order.bytecode
order.bytecode: a /usr/bin/ocamlrun script executable (binary data)
$ file order.native
order.native: ELF 64-bit LSB executable, ...
NOTE: These results are applicable to OCaml 4.01.0-5 as distributed in
Debian Jessie. These results are not representative of other versions
of OCaml, or of other OS distributions.
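To connect the evaluation-order dependency shown by order.ml to the skipped quota check described above, here is an added illustration (not oxenstored's code and not the fix in xsa272.patch): a toy store whose write reports "created" through a tuple the same way order.ml does, beside a form that sequences the side effect before the tuple is built. The type and functions (`store`, `insert`, `write_unordered`, `write_ordered`, `write_with_quota`, `attempt`) are hypothetical names.

```ocaml
(* Hypothetical toy store: [quota] stands in for quota-maxentity. *)
type store = {
  mutable entries : (string * string) list;
  mutable count : int;   (* entries already charged against the quota *)
  quota : int;
}
let empty quota = { entries = []; count = 0; quota }

(* Insert [key]; true only when it did not exist before. *)
let insert store key value =
  if List.mem_assoc key store.entries then false
  else (store.entries <- (key, value) :: store.entries; true)

(* Vulnerable shape, as in order.ml above: the flag is set by one tuple
   component and read by the other. If the compiler evaluates the second
   component first, a brand-new entry is reported as not created. *)
let write_unordered store key value =
  let created = ref false in
  let mark () = if insert store key value then created := true in
  mark (), !created

(* Corrected shape: the side effect is sequenced with [let] before the
   tuple is built, so the result cannot depend on evaluation order. *)
let write_ordered store key value =
  let created = insert store key value in
  ((), created)

(* The caller charges the quota only when told an entry was created, so a
   wrong flag disables the limit silently rather than raising an error. *)
let write_with_quota write store key value =
  let _, created = write store key value in
  if created then begin
    if store.count >= store.quota then begin
      store.entries <- List.remove_assoc key store.entries;
      failwith "quota-maxentity exceeded"
    end;
    store.count <- store.count + 1
  end

(* Three distinct keys against a quota of 2: the ordered write always
   rejects the third; the unordered one does so only with some compilers. *)
let attempt label write =
  let s = empty 2 in
  try
    List.iter (fun k -> write_with_quota write s k "v") ["a"; "b"; "c"];
    Printf.printf "%s: quota NOT enforced, %d entries\n" label (List.length s.entries)
  with Failure _ ->
    Printf.printf "%s: quota enforced, %d entries\n" label (List.length s.entries)
let () = attempt "unordered" write_unordered; attempt "ordered" write_ordered
```

Compile it with both ocamlc and ocamlopt as done for order.ml: only the "ordered" line is guaranteed to report the quota as enforced under either compiler.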
MITIGATION
==========
There are no mitigations available.
CREDITS
=======
This issue was discovered by Christian Lindig of Citrix.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
xsa272.patch All versions of Xen
$ sha256sum xsa272*
0da953ca48d0cf0688ecff6a074304a9d2217871809a76ef26b9addeb66ecb3e xsa272.meta
6e0359d89bf65794f16d39198cc90f5c3137bce4eb850e54625ab00e2c568c2c xsa272.patch
$
DEPLOYMENT DURING EMBARGO
=========================
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
Xenproject.org Security Team